Looking for security at the intersection of technology and the liberal arts

By now, the news that criminals have hacked into the cloud accounts of several celebrities and stolen their photos--often including those of a ... personal nature--has been widely covered in the mainstream media, the trade press, and social media circles.

On one hand, this incident has brought some much-needed attention to the importance of privacy and security in our daily lives: As more and more of our personal data gets "into the cloud," it becomes increasingly critical, and more difficult, to keep it away from prying eyes.

On the other hand, however, the wide range of responses in the media has also opened a window into just how complex these issues are, and how far we, as a society, are from tackling them in a comprehensive way.

Blame the victim?

When faced with this kind of news, it's often easy to blame the victims, either subtly, by wondering why people choose to take nude selfies, or crassly, by pointing out that, had they not chosen to take naked pictures, there would be no scandal to speak of at all. (No links for these people, but a Google search will, sadly, bring up far too many of them in a jiffy.)

A more subtle form of victim-blaming also comes in the form of placing the fault for the breach on the celebrities for failing to properly secure their accounts with strong passwords.

Now, I'm sure that we can all agree that proper password hygiene is important, and I would wager that the average Macworld reader is well acquainted with practices like avoiding weak passwords and using two-factor authentication. But for every technically savvy mobile user out there, thousands more have a much more rudimentary understanding of how computers work. Many are just beginning to come to terms with using technology without being afraid that it will blow up in their face.

Put another way, security experts have been trying to get the world at large to adopt good security practices for decades, and very few people seem to be listening. At some point, blaming users for not educating themselves or being more careful just becomes a way to bury our heads in the sand and ignore a bigger issue. After all, if the address book of one of your friends is stolen and your personal information gets spilled all over the Internet, their problem becomes your problem, regardless of how well-versed you are in the ins and outs of computer security.

Not a technology problem

At the opposite end of the spectrum of reactions to the breach, we find a number of pundits proposing technological solutions to the problem.

For example, in a blog post on the organization's website, the ACLU's Chris Soghoian suggests that makers of mobile platforms should offer a "private photo" mode that doesn't save pictures to the cloud. Speaking of large mobile operating system developers like Apple and Google, he writes:

These companies can and should offer a "private photo" option for sensitive photos that prevents them from being uploaded to the cloud.

I'll be honest: While this proposal has been widely praised in the press, I've spent the last few days scratching my head and wondering if this solution misses the larger issue. Obviously, photos deserve to be treated with a high degree of respect for security and privacy by cloud providers and users alike, but they represent just some of the important information that criminals could get their hands on if they guessed your iCloud password and managed to restore your backups to a device they control.

Let me give you an example: If you were to scour my Photo Stream, you'd find an endless collection of parking lot signs and hotel placards--the simple consequence of the fact that, when you start pushing forty and travel a lot, your biggest concern becomes making sure you can find your rental car and avoid accidentally walking into someone else's room at the end of a long workday.

Were I to ever start taking nude selfies--nothing to write home about, I assure you--the embarrassment of seeing them plastered all over the Internet would pale in comparison to the fear of my address book, banking credentials, and all the other sensitive information that I regularly back up to iCloud being stolen. And as new technologies like HomeKit and HealthKit promise to push more and more of that sensitive information into the cloud, it only gets worse. When someone can ruin you financially, take everything you own, and burn down your home by breaking into your account, focusing on keeping your naughty bits private seems a bit like missing the forest for the trees.

Even worse, I suspect that a private-photo feature would add complexity, and complexity tends not to scale very well. Apple has reported an installation base of some 600 million devices, which means that a feature that works well for 99 percent of customers potentially translates into several million people who either can't take private pictures, or who take private pictures, then lose or reset their devices, eventually showing up at an Apple Store in tears because an iPhone ate their children's priceless birthday photos. (Daring Fireball's John Gruber makes a similar point, though on a slightly different topic, while discussing the importance of backups in a recent post.)

Apple's response

It's counterproductive to look at security as a purely technical problem, because the technical aspects of security have (at least in principle) already been widely addressed. Apple could jack up the security of iCloud by requiring hundred-character passwords, for example, and the five remaining users of the service would enjoy an excellent level of safety.

Similarly, the folks from Cupertino could start requiring two-factor authentication for more services, including the ability to restore from an iCloud backup, but that decision would come with its own set of challenges. For example, it would be hard to send a text message to a device before it has been activated (SMS messaging might work for iPhones, but iPad and iPod owners would be out of luck, and not everyone has a mobile phone)--and, at least for now, logging into iCloud is part of the activation process for many users.

Still, it's clear that this problem needs a solution. In an excellent analysis of the breach for TidBITS, Macworld contributor Rich Mogull notes:

These kinds of attacks are only going to increase, and cloud services need to make it easier for users to implement higher levels of security, without destroying the user experience. It's the kind of challenge well-suited to Apple's strengths; now it's time for the company to step up to the next level.

I couldn't agree more. The solution to our security problems, if there is one, lies at the intersection between technology and usability. The good news is that's exactly where you'll find Apple's greatest ability to make a dent: Consider, for example, how the introduction of Touch ID in the iPhone 5s has brought biometric authentication within reach of millions of people, greatly enhancing their safety without requiring them to make significant changes to the way they use their devices.

The company's response to the recent hacking incident has, so far, been rather bland--and a little disappointing for an organization that has made privacy the centerpiece of its mobile strategy. Still, that's just the way Apple likes to play: The fact that we are faced with a timid press release instead of a full-on apology could simply mean that it's already hard at work on new security measures that will make their debut in the coming weeks or months.

Hopefully, Apple will be able to look at security as a human problem that can only be solved through a combination of advanced technologies, clever interaction, and subtle user education, leading the industry towards a future in which we can all be a little safer.

Stories by Marco Tabini